2-36 Security Guide for Oracle Business Intelligence Enterprise Edition Application Role placeholder disappears from the Administration Tool interface. Always create a corresponding Application Role in the policy store before bringing the repository back online when using role placeholders in offline repository development. For more information about how to create a placeholder for an Application Role during repository development, see Oracle Fusion Middleware Metadata Repository Builders Guide for Oracle Business Intelligence Enterprise Edition.

2.6 Managing Presentation Services Catalog Privileges Using Application Roles

This section explains how to manage Oracle BI Presentation Catalog privileges using Application Roles, and contains the following topics: ■ Section 2.6.1, Overview ■ Section 2.6.2, About Presentation Services Catalog Privileges ■ Section 2.6.3, Setting Oracle BI Presentation Catalog Privileges for an Application Role ■ Section 2.6.4, Advanced Security Configuration Topics

2.6.1 Overview

The Oracle BI Presentation Server uses Presentation Services Catalog privileges to control access to features such as Answers, Delivers, and BI Publisher. The default Oracle Business Intelligence Application Roles BIAdministrator, BIAuthor, BIConsumer are automatically configured with these privileges during installation, in addition to the Oracle Business Intelligence Application Policy permissions. Systems upgraded from a previous release can continue to use Catalog groups to grant these privileges, but this is not considered a best practice. Best practice is to use Application Roles to manage privileges, which streamlines the security management process. For example, using the same set of Application Roles throughout the system eliminates the need to manage a separate set of Catalog groups and member lists. For more information regarding how to continue using upgraded Catalog groups to manage Presentation Services Catalog privileges, see Section A.2.1, Changes Affecting Security in Presentation Services . When groups are assigned to Application Roles, the group members are automatically granted associated Presentation Services Catalog privileges. This is in addition to the Oracle Business Intelligence permissions.

2.6.2 About Presentation Services Catalog Privileges

Presentation Services Catalog privileges are maintained in BI Presentation Catalog. Presentation Services privileges control access only to Presentation Services Catalog Note: Assigning an Application Role to be a member of a Catalog group creates complex group inheritance and maintenance situations and is not considered a best practice. Tip: A list of Application Roles that a user is a member of is available from the Roles and Groups tab in the My Account dialog in Presentation Services. Managing Security Using the Default Security Configuration 2-37 features. These privileges grant or deny access rights to Presentation Services features and have no effect in other Oracle Business Intelligence components. Being a member of a group assigned to a default Application Role grants Presentation Services Catalog privileges, in addition to the Oracle Business Intelligence permissions discussed in Section B.4.1.3, Default Application Roles, Permission Grants, and Group Mappings . The Presentation Services Catalog privileges granted by a default Application Role can be modified by adding or removing default privilege grants using the Manage Privileges page. Whenever a new catalog is created, it is populated with the default Application Role to Presentation Services Catalog privilege mappings. If you have changed the default mappings and want to see the default associations, create a new catalog by pointing to a file location where no catalog exists. When the Oracle BI Presentation Server starts, a catalog is created as part of the initialization process. Presentation Services privileges can be granted to users both explicitly and by inheritance. However, explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of group or Application Role hierarchy.

2.6.3 Setting Oracle BI Presentation Catalog Privileges for an Application Role